SOC2 Evidence - Population Lists


Sample of possible population lists from an auditor

  • List of all in-scope application code changes related to in-house development applications that have occurred during the review period
  • List of all network related changes to firewall and/or router rule set configurations that have occurred within the in-scope environment during the review period
  • List of all incidents reported during the review period
  • List of all company owned laptops and/or BYOD devices utilized within or that can connect to the in-scope environments.
  • List of all new hires during the review period
  • Inventory list of all servers and workstations utilized within the in-scope environments with details of their primary function/role (e.g. file server, domain controller, web server, application server, database server, desktop, etc.).
  • List of all system changes made during the review period, to include:
    • all in-scope application changes
    • all in-scope database changes
    • all in-scope operating system changes
  • List of all terminated employees during the review period
  • List of all vendors and contractors used for in-scope services during the review period
  • List of all transferred or reassigned employees during the review period
  • List of vulnerabilities, deviations, and control gaps that required remediation identified during the review period
  • List of Executive Management members (e.g. President, CIO, CTO, CEO, CFO, etc.)
  • List of all the installed patches applied to information systems in the past 12 months
  • List of all current employees during the review period
  • List of all customers during the review period
  • List of all data disposals (e.g. system disposals, hardware purging, document destruction, etc.) during the review period